Tuesday, July 28, 2009

Can we do the Security Stack API RESTfully? (Part 2)

This section deals with expressing the actual policies of the provider organization, obviously a complex information set to represent, so this will require a lot more detail and thinking. I think it's best that we use ISO27002 (the next version of ISO17799) given that it's the root standard from which all other compliance standards are derived; additionally

/ssapi/ISO27002/ - returns a list of sub-elements for the standard, immediate descendants only

/ssapi/ISO27002/@all - returns an XML payload with values and freshness for all descendants

this API should be a generic interface for exposing both technical and organizational security information

the API is a standardized framework for exposing information and, while it won't replace existing approaches, it will ease users' ability to ask for that information and get an answer that matches their expectations

vendors will populate data to different parts of the stack; vendors that can't respond to certain parts of the API (for example, a Cisco ASA firewall can't opine on your policy for asset management) shouldn't be considered non-compliant

there exists a need for an aggregator entity that collects stack information from distributed elements (maybe a firewall here, an IPS there, a compliance system somewhere else)

the stack should not explicitly disclose information about the security state of the system (at least not to guests in the environment or the unwashed masses); that's pointedly unsafe. However, the stack may unintentionally leak information that could be useful to an attacker. For example, the stack should never say "I'm not patched against CVE-2012-435", but it may say "my patching policy is within 4 hours", which tells an attacker their window of opportunity. Even the freshness stamps on a value can reveal a maintenance schedule. We'll have to think about this topic a lot more.
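To make the two resource shapes above and the aggregation and disclosure points concrete, here is an added toy implementation (my code, not anything from the post or from any vendor). It assumes three hypothetical stack elements (a firewall, an IPS and a GRC tool) each reporting only the ISO27002 clauses they can speak to, an aggregator that merges them, one handler for `/ssapi/<standard>/...` paths, and an `audience` parameter that withholds values under a sensitive subtree from guests. The element names, clause values, freshness stamps and the choice of which subtree is sensitive are all constructed for illustration; the clause numbers are a small illustrative subset, not a complete mapping of the standard.

```python
"""Toy model of the security-stack API sketched in this post.

Constructed example: a resolver for /ssapi/<standard>/... paths over data
aggregated from several stack elements. Not a real product API.
"""
import xml.etree.ElementTree as ET

# Constructed sample data: what each stack element can say about ISO27002
# clauses, as clause path -> (value, freshness stamp). A firewall knows about
# network controls, a GRC tool about policy; each reports only what it can
# opine on. Clause numbers are illustrative, not a full ISO27002 mapping.
ELEMENTS = {
    "asa-fw-01": {
        "ISO27002/10/10.6.1": ("deny-by-default ingress filtering", "2009-07-27T22:10:00Z"),
        "ISO27002/12/12.6.1": ("vendor advisories reviewed, none pending", "2009-07-28T06:00:00Z"),
    },
    "ips-02": {
        "ISO27002/10/10.10.2": ("alerts forwarded to central log server", "2009-07-28T05:30:00Z"),
    },
    "grc-01": {
        "ISO27002/5/5.1.1": ("policy approved by management, reviewed annually", "2009-06-30T00:00:00Z"),
        "ISO27002/7/7.1.1": ("asset inventory reviewed quarterly", "2009-07-01T00:00:00Z"),
        "ISO27002/12/12.6.1": ("critical patches applied within 4 hours", "2009-07-15T00:00:00Z"),
    },
}

# Assumed policy: subtrees describing current security state (here, technical
# vulnerability management) are withheld from unauthenticated guests.
SENSITIVE = ("ISO27002/12/12.6",)


def aggregate(elements):
    """Merge per-element data into {clause_path: {element: (value, freshness)}}.

    An element with nothing to say about a clause simply does not appear under
    it. Absence means 'no opinion', never 'non-compliant'.
    """
    store = {}
    for element, entries in elements.items():
        for path, (value, fresh) in entries.items():
            store.setdefault(path, {})[element] = (value, fresh)
    return store


def _clause_key(label):
    """Sort '5' before '10' and '10.6.1' before '10.10.2' (numeric, not lexical)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in label.split("."))


def _children(store, prefix):
    """Immediate descendants of prefix, e.g. 'ISO27002' -> ['5', '7', '10', '12']."""
    want = prefix.split("/")
    depth = len(want)
    kids = set()
    for path in store:
        parts = path.split("/")
        if parts[:depth] == want and len(parts) > depth:
            kids.add(parts[depth])
    return sorted(kids, key=_clause_key)


def _to_xml(store, prefix, audience):
    """XML payload with values and freshness for every descendant of prefix."""
    root = ET.Element("stack", standard=prefix.split("/")[0], audience=audience)
    for path in sorted(store, key=lambda p: [_clause_key(s) for s in p.split("/")]):
        if not (path == prefix or path.startswith(prefix + "/")):
            continue
        clause = ET.SubElement(root, "clause", path=path)
        if audience == "guest" and path.startswith(SENSITIVE):
            # Guests learn the clause is addressed, but not by whom, how, or when:
            # the freshness stamp would leak a maintenance window just as the value would.
            clause.set("redacted", "true")
            continue
        for element, (value, fresh) in sorted(store[path].items()):
            src = ET.SubElement(clause, "source", element=element, freshness=fresh)
            src.text = value
    return ET.tostring(root, encoding="unicode")


def handle(request, store, audience="guest"):
    """Dispatch /ssapi/<standard>[/<clause>...][/@all].

    Without @all: list of immediate sub-elements. With @all: XML payload for
    the whole subtree, filtered according to the requesting audience.
    """
    if not request.startswith("/ssapi/"):
        raise ValueError("not a security-stack API path")
    parts = [p for p in request[len("/ssapi/"):].split("/") if p]
    full = bool(parts) and parts[-1] == "@all"
    prefix = "/".join(parts[:-1] if full else parts)
    if not prefix:
        raise ValueError("standard identifier required")
    return _to_xml(store, prefix, audience) if full else _children(store, prefix)


if __name__ == "__main__":
    store = aggregate(ELEMENTS)
    print(handle("/ssapi/ISO27002/", store))
    print(handle("/ssapi/ISO27002/12/@all", store))                      # guest view
    print(handle("/ssapi/ISO27002/12/@all", store, audience="operator"))  # full view
```

The aggregator records which element answered each clause, so a consumer can see that the GRC tool and the firewall both have something to say about clause 12.6.1 while the IPS says nothing about clause 7, with no "non-compliant" flag anywhere. Whether redaction keys on a clause subtree, as here, or on per-value sensitivity labels supplied by each element is exactly the open question the post flags.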

Plain Text Disclaimer

The thoughts on this blog are mine (or at least the derived versions thereof are) and I take responsibility for them.

I have an employer, a good employer that treats me kindly, but it's important to note that nothing I say is in any way reflective of their opinion on any matter nor should anyone think that I am speaking on their behalf. They have an official website and media people for that.

That same said employer sells stuff, not least of all my time as a consultant, but this is something I do on my own time because it's fun and of personal interest to me.